[OSPF] draft-bhatia-karp-ospf-ip-layer-protection-03.txt
Curtis Villamizar <curtis@occnc.com> Thu, 31 March 2011 08:22 UTC
Return-Path: <curtis@occnc.com>
X-Original-To: ospf@core3.amsl.com
Delivered-To: ospf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 98C883A6B2B; Thu, 31 Mar 2011 01:22:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.534
X-Spam-Level:
X-Spam-Status: No, score=-2.534 tagged_above=-999 required=5 tests=[AWL=-0.065, BAYES_00=-2.599, SARE_RMML_Stock10=0.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x04LC7-09B+a; Thu, 31 Mar 2011 01:22:14 -0700 (PDT)
Received: from harbor.orleans.occnc.com (harbor.orleans.occnc.com [173.9.106.135]) by core3.amsl.com (Postfix) with ESMTP id 6BC923A6826; Thu, 31 Mar 2011 01:22:14 -0700 (PDT)
Received: from harbor.orleans.occnc.com (harbor.orleans.occnc.com [173.9.106.135]) by harbor.orleans.occnc.com (8.13.6/8.13.6) with ESMTP id p2V8NrGN047454; Thu, 31 Mar 2011 04:23:53 -0400 (EDT) (envelope-from curtis@harbor.orleans.occnc.com)
Message-Id: <201103310823.p2V8NrGN047454@harbor.orleans.occnc.com>
To: "karp@ietf.org" <karp@ietf.org>, "ospf@ietf.org" <ospf@ietf.org>
From: Curtis Villamizar <curtis@occnc.com>
Date: Thu, 31 Mar 2011 04:23:53 -0400
Sender: curtis@occnc.com
Subject: [OSPF] draft-bhatia-karp-ospf-ip-layer-protection-03.txt
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: curtis@occnc.com
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2011 08:22:15 -0000
If a challenge response and session ID is going to be used, the nonce
need not be carried after the session-id is negociated.
The purpose of a nonce is to provide a challenge which the other end
must encrypt and send back using a shared key or its private half of a
public/private key pair. The nonce in both directions plus a session
key must be exchanged and then after that the session key is used. To
prevent replay, the session key and a monotonically increasing
sequence number must be exchanged for subsequent packets.
In pictures:
session + challenge1 ->
<- session + response1 + challenge2
session + response2 ->
where:
response1 = encrypt(session + challenge1)
response2 = encrypt(session + challenge2)
If you are going to keep that sort of method, then it needs to be used
correctly. Only the session ID is needed after negociation.
It would be better to exchange a session key rather than just a
session ID. The reason to do this is so as not to use the same
session key over a long period of time and to use the shared or
public/private keys infrequently to provide very little data on which
to try to reverse engineer the keys.
I don't have strong feeling about whether this type of session ID
should be used or whether the monotonicly increasing reboot count
would be sufficient. I have some concerns about a CPU card going down
or entire router catching fire and being replaced and not knowing what
the reboot count was on the old CPU. The challenge/response has no
requirement for a monotonically increasing reboot count variable.
This may be a call for OSPF but KARP buy-in
IMHO this conversation should be directed to either OSPF or KARP for
now and not both but I cross posted since Manav cross posted a request
to consider the security mechanisms in this draft. OTOH, this sort of
session key negociation could be generic to other protocols (and quite
frankly I borrowed the idea from the well documented kerberos tgt
exchange and other challenge reponse use).
Curtis
- [OSPF] draft-bhatia-karp-ospf-ip-layer-protection… Curtis Villamizar
- Re: [OSPF] [karp] draft-bhatia-karp-ospf-ip-layer… Curtis Villamizar